Yahoo users can sue over data breaches, judge rules

15 March 2018

Yahoo! would eventually fess up to the breach in 2016, but only after it had already agreed to an acquisition deal with Verizon that would lump Yahoo! in with Aol as part of a new company called "Oath".

The Silicon Valley company admitted in October that the breach affected all 3 billion users, whose names, email addresses, phone numbers, dates of birth, scrambled passwords and security questions and answers may have been stolen.

US District Judge Lucy Koh rejected a bid from Verizon Communications, the firm that bought Yahoo's internet business in June last year, to dismiss a number of claims, including for negligence and breach of contract. However, Koh trimmed some claims from the consolidated class-action lawsuit.

Verizon Communications, now Yahoo's parent company, attempted to have the suits brought against it thrown out of court, arguing, according to Reuters, that Yahoo had been targeted by "relentless criminal attacks", which mitigated its responsibility.

The case centers around accusations that Yahoo took too long to notify users of the breaches.

Customers make a plausible argument that "high-ranking executives and managers at Yahoo" engaged in "malicious conduct," the standard for seeking punitive damages on top of ordinary compensation for consumer harm, U.S. District Judge Lucy Koh in San Jose, California, said in a ruling.

Yahoo and its ownership group have been accused of failing to properly disclose and remedy the 2014 breach, which led to the email accounts of three billion customers being exposed to hackers. The U.S. plaintiffs amended their lawsuit in response.

Yahoo allegedly knew its security was flawed well before the breaches but did little to improve it.

In seeking a dismissal, Yahoo said it has always been the target of "relentless criminal attacks", and the plaintiffs' "20/20 hindsight" did not cast doubt on its "unending" efforts to thwart "constantly evolving security threats".